By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

an XML flaw in Internet Explorer.

SearchSecurity.com:

To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Initial reports of attacks in the wild said that only IE 7 was targeted, but after further investigation, Microsoft extended its warning to include all versions of the browser. A group of Chinese security researchers admitted to mistakenly releasing the code in the wild. The exploit is being tied to the Chinese Knownsec security team, which wrote a blog post explaining the blunder.

Paul Henry, security and forensic analyst at patch management vendor Lumension Security, said that within a day of the flaw details being released, he was able to download proof-of-concept code.

"The browser has become the gateway onto the network," he said. "Web based malware is a huge problem and people aren't patching their browsers."

Since the discovery of attacks in the wild on Dec. 11, Microsoft said that 1 in 500 Internet users may already be infected. The software giant said hackers are planting the exploit on websites using SQL injection techniques. A successful attack infects systems with the Downloader-AZN Trojan, which then connects to a remote website and downloads additional malware. Although attacks have been limited, security experts warned that if carried out successfully, they could give an attacker the same user rights as the local user, and ultimately the ability gain access to sensitive data.

Eric Schultze, chief technology officer of patching vendor Shavlik Technologies, called media reports of the IE flaw overblown. Some called for users to switch to alternative browsers. The attack is no different than other zero-day flaws reported in the past, and now with a patch released users will be protected, he said.

"Those so called legit websites passing on this infected exploit have many more issues to deal with," Schultze said in a phone interview. "The attackers seemed to have taken a liking to this particular issue, actually hacking into Web servers to inject code and infect sites."

Prior to the patch release, Microsoft recommended several workarounds. Those that implemented them found that it broke functionality for some internal applications, Schultze said. Some security pros who implemented the workarounds will now have to deploy the patch and reverse them.

"In some cases they thought it was a serious enough threat to implement the workarounds anyway," he said. "It's a risk reward thing."

Danish vulnerability clearinghouse Secunia has given the flaw an extremely critical rating because it is being actively exploited.

This fix marks the second time in only two months that Microsoft has released a security patch outside of its monthly cycle. It usually issues patches on the second Tuesday of each month. Microsoft issued an out-of-cycle patch in October, correcting a dangerous remote procedure call (RPC) error. That flaw was also being actively exploited in the wild. Prior to that, Microsoft released a patch in April 2007, fixing a Windows ANI curser handling flaw.

0 comments

E-Mail

Username / Password

Password

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy